Purpose of this policy


This policy sets out the appropriate processes and procedures for 
the procurement of all goods and services at the ICO needed to 
enable the Commissioner to carry out her functions in line with 
statutory and strategic requirements. 


The policy applies to all ICO staff, secondees, agents and 
contractors, and should be read in conjunction with the ICO Scheme 
of Delegations. 


This policy is supported by the ICO strategy Openness by Design
and seeks to facilitate the recommendations set out in the
Commissioner's 2019 report to Parliament: Outsourcing Oversight?


It is for budget holders to procure and manage all contracts 
appropriately, and all budget holders have a responsibility to 
comply with this policy. Support is available and should be sought 
from the Procurement Team or the Commercial Legal Team. 


All procurement questions should be addressed to the Procurement
Team (procurement@ico.org.uk) and questions about contracts
should go to the Commercial Legal Team at
commerciallegal@ico.org.uk.


A. Procurement process 
1. Legal and external considerations 


As a public body, the ICO is subject to the Public Contracts 
Regulations 2015 for our procurement activity. All ICO 
procurements should also comply with the principles of the EU
Public Contracts Directive 2014, which include equal treatment of
bidders, fair competition, proportionality and transparency.
Procurement should not discriminate against suppliers or bidders on 
the grounds of nationality. These principles shall apply to all 
procurements regardless of the contract value. 


We must also comply with the following:
• Procurement Policy Notes (PPNs) issued by the Cabinet
Office’s Crown Commercial Service.
• The Management Agreement 2018-2021 with the Department
for Digital, Culture, Media and Sport (DCMS).
• Cabinet Office and DCMS spend controls.
• Managing Public Money 2013 as updated in 2018.


In the event of a conflict, the legislation and controls take 
precedence over ICO internal policies. 


As a public body we must also, where possible, follow LEAN 
methodology. The application of LEAN techniques aims to produce 
products and services that deliver in line with ICO requirements; ie 
the right quantity and quality of the product at the right time, in the 
right location, for the right price. For this reason it is good practice 
to involve the Procurement Team and the Commercial Legal Team 
at the initial planning stage of any project. 


2. Overview of the procurement process 


Our procurement process flow chart (overleaf, and available in ICON
as a PDF document) sets out the overall process we follow in
procuring goods and services.


Once the need for goods and services has been established and
approved (by the Senior Leadership Team (SLT) if required), the
procuring department should contact the Commercial Legal Team to
see if there are existing contracts already in place that may fulfil
their requirements. Where possible, we should consider whether
an existing provider may be able to meet those requirements.


All approvals by SLT must be clear and transparent and records 
must be kept which confirm the SLT decision. 


Procuring Goods & Services


Identify the need & prepare a brief.
• What is it we wish to procure?
• How long will we need the service?
• Have all stakeholders been identified and involved?


Speak to the department budget holder to obtain
permission to procure.


Spend Controls
At this point you should check the Cabinet Office
and DCMS spend controls to see if the
service/supply falls under any of CO, or DCMS,
rules regarding spend. Speak to the Commercial
Legal team for any guidance needed.


At this point you should consider any DPIA & PSIA issues that may
arise due to the nature of the work to ensure that they are taken
into account when going out to market. If there are any issues,
raise them with the relevant departments for guidance.


If you need any guidance on going out to market, any issues
obtaining quotes or any other question please email [...]
finalising any agreement with a supplier.


Government transparency requirements mean we must publish details
of all our contracts over £10,000 on our website. You must
inform Commercial Legal of the existence/proposed existence of any
such contract and provide a copy for ICO's records.
[...] to contracts to reflect this requirement may need to be made.


Prior to allocating additional work or orders, advice should be 
sought from the Commercial Legal Team and the Procurement Team 
on the contractual and procurement implications of this. 


Our procurement path will be determined by the nature and value 
of the goods or services being procured as detailed below. 


Total Contract Value (including contract extensions) | Procurement Process
£1-4,999 | 1-3 quotes and note reasons for selection of the supplier
£5,000-9,999 | 3 quotes and detailed note of the reasons for selection of the supplier
£10,000-24,999 | 3-5 quotes and note in detail the reasons for the selection of the supplier
£25,000-£181,301 | Public procurement process must be followed. Seek advice from the Procurement Team and the Commercial Legal Team before contacting any potential suppliers.
£181,302 and above (OJEU threshold 2018/2019) | OJEU Compliant framework or procurement process must be followed. Seek advice from the Procurement Team and the Commercial Legal Team before contacting any potential suppliers.


The process comprises the following stages: 


• Authority and budgetary permissions
• Initial instructions
• Assess available procurement avenues and the route to
market
• Conduct the procurement process, to include feedback and
award stages. A copy of the intended contract must be
published with any tender documents.
• Evaluation and selection of suppliers. This should be
undertaken by a minimum of 3 people. All conflicts of interest
should be recorded.
• Notification of outcome to bidders
• Finalise contract
• Post-award administration - to include publishing and storing
the awarded contract
• Active contract management


3. Record keeping 


It is essential that records are maintained throughout the 
procurement and contracts process. The ICO is subject to regular 
audits and detailed records must be accessible for both audit and 
freedom of information purposes. 


The procuring department must collaborate with the Commercial 
Legal Team and the Procurement Team to ensure that appropriate 
records are kept at each stage. Examples of the records that we 
expect to retain are: 
• Detailed business case confirming approval from SLT (where
required)
• Written confirmation of approval from DCMS, if required under
the Spend Controls or Management Agreement
• Written reasons or desk top analysis for the selection of
suppliers
• Evidence of quotes obtained prior to selecting a supplier
• Instructions from the team or individual requesting the
procurement of goods or services
• Records of any contact made with potential suppliers - advice
should be sought from the Procurement Team prior to any
discussions or contact with potential suppliers for any spend
over £24,999
• Quotes from potential suppliers
• Evaluation and scoring records
• All correspondence with bidders including invitations to
interviews and outcome letters
• Notes of interviews or presentations by bidders
• Notes of wash up meetings
• Signed contracts - originals must be stored securely by the
Commercial Legal team


4. Practical considerations 


On selection of a successful supplier the procuring department will: 

• Complete the new supplier checklist (Annex 1) to enable
Finance to set up a new supplier on our system and raise a
Purchase Order number
• Check whether the supplier needs to be, and is, paying a data
protection fee to the ICO
• Check whether the supplier is currently a subject of interest to
the ICO as a regulator


Responsibility for these checks sits with the procuring department,
who should record the outcome of these checks and send copies to
the Commercial Legal Team.


These checks need to be undertaken prior to entering into a new
contract with any supplier, irrespective of whether we have
contracted with them previously.


Part B. Contractual considerations


All ICO contracts will be drafted by the Commercial Legal Team who 
will liaise with the procuring department to obtain clear instructions. 


When drafting the contract the following need to be considered. This 
list is not exhaustive. 


1. Risk 


There are a number of factors which affect the level of risk in a 
contract, and which will change depending on the goods or services 
being procured. Examples of key risks to consider include: 
• How important to the work of the ICO are the goods or
services?
• How easy would it be to find an alternative supplier?
• What is the total contract value?
• What is the cost to the ICO if the supplier makes a mistake
or fails to provide the goods or services?
• Any limit of liability in the contract
• How detailed is the description of the goods or services?
• How easy is it for the ICO or supplier to terminate the
contract?


In particular, and in all cases, we should consider if there are any 
personal data or security risks, including: 
• Transfer or use of, or other access to personal data
• Transfer or use of, or other access to data obtained in the
course of our regulatory role
• Access to information relating to our practices and procedures
as a regulator
• Access to information that may prejudice the Commissioner’s
functions
• A supplier’s need to physically access our premises or systems
• The contract requires a supplier to assume a public-facing role
on behalf of the Commissioner
• Actual or perceived conflicts of interest on the part of any ICO
staff


The procuring department is ultimately responsible for determining 
what risks are acceptable in any given procurement, having due 
regard to the Scheme of Delegations and any advice given by 
colleagues in the relevant teams. 


Staff are reminded that our Code of Conduct requires that any
actual or perceived conflicts of interest are declared using the forms
available on ICON and an assessment of those risks undertaken
prior to engaging any supplier. The Commercial Legal Team will
provide advice about the risks in a given situation.


2. Security 


All original copies of contracts are stored securely in the Commercial 
Legal fireproof filing cabinet. Contracts must not be stored in 
lockers or in work cabinets unless staff are unable to access the 
Commercial Legal Team or the Commercial Legal filing cabinet due 
to time constraints or logistical reasons. Any contracts stored 
outside of the Commercial Legal filing cabinet must be transferred 
there by the end of the next working day. 


Consideration should be given to any risk to the security of the 
Commissioner, staff, buildings, IT facilities or information assets. It 
may be necessary to include provisions in the contract for supplier 
personnel to have security clearance or DBS checks. The 
Commercial Legal Team may liaise with other ICO departments to 
help assess this risk and ensure appropriate measures are included 
in the contract. 


3. GDPR and other ICO legislation 


The nature of our work means that we must uphold the highest 
standards in relation to data protection, freedom of information and 
any other legislation that we regulate. It is the responsibility of the 
procuring department to ensure that a DPIA/PSIA is completed prior 
to entering into any contract with a supplier. Commercial Legal 
should be notified of any risks highlighted so that appropriate 
provisions can be included within the contract. 


Procuring departments must be clear on the extent of any 
information sharing, the relationship between the ICO and the 
supplier, ie controller/processor, and the safeguards that must be 
applied within our contracts in each situation. Contract terms should 
align with the knowledge packs issued by the policy teams and 
official ICO guidance published on our website. Any deviation from 
these will require written approval from an Executive Team 
member. 


4. Authorised Signatory


ICO contracts may only be signed by those employees with the
requisite authority to do so (see Annex 2). These limits are subject
to the limits set out in the DCMS Management Agreement and
Spend Controls.


Staff should note the difference between levels of approval required
for purchase orders or invoices as set out in the Scheme of 
Delegations. These arise as the payment of an invoice or approval 
of a purchase order does not normally create a legal obligation on 
behalf of the ICO. The contract is the point at which we create a 
legal obligation for the ICO, so much stricter controls are needed. 


Purchase orders or payment of invoices should not be approved 
without a valid contract being in place, unless this has been 
specifically approved in accordance with the New Supplier Checklist. 
This includes any agreement that may not have a direct monetary 
value, such as a data sharing or non-disclosure agreement or a 
memorandum of understanding (MoU). 


An MoU that requires any form of payment by the ICO, even if low 
value, is in legal terms a contract and must be drafted or reviewed 
by the Commercial Legal Team prior to signing. 


All contracts relating to land, eg leases or any other contracts 
requiring the Commissioner’s seal, must only be signed by either 
the Commissioner, or someone with delegated authority to attest 
the Commissioner’s seal. Details of those individuals with 
appropriate authority can be obtained from Corporate Risk and 
Governance. 


Secondees, agents, contractors and agency staff are not permitted 
to sign contracts on our behalf. This is because there are different 
contract arrangements for these individuals. 


5. Termination 


Where possible, all contracts should include a no-fault one-month 
termination clause. Budget holders must seek advice from the 
Commercial Legal Team before taking any steps to terminate a 
contract for any reason. This is to ensure that the ICO complies with 
any contractual provisions around termination or notice. 


6. Single Tender Contracts 


All uses of Single Tender Contracts need approval prior to 
proceeding; please see section 2.2 of the Management Agreement 
with the DCMS available here. The use of a single tender is only 
acceptable if there is no other reasonable alternative supplier. This 
needs to be justified and documented prior to the procurement 
activity commencing. 


All single award contracts over the value of £25k will be reported to
Audit Committee on an annual basis. This will also include
accumulative contracts over a two year period that combined come
to over £25k.


Part C. Contract management procedures


1. Overview


Procuring departments are responsible for the required outcomes 
for each contract and should be accountable for successful contract 
performance. If there are any concerns about a supplier, assistance 
and advice should be sought from the Commercial Legal Team and 
the Procurement Team to ensure that we comply with our 
contractual obligations. 


The focus should be on successful outcomes and procuring 
departments are expected to take account of public service and 
accountability obligations and risks. It is the procuring department’s 
responsibility to ensure they are familiar with the provisions of their 
contract and the ICO’s expectations of their chosen supplier. 


Prior to any discussions with the Commercial Legal Team and the 
Procurement Team about options for engaging a supplier, procuring 
departments should consider whether KPIs or other performance 
indicators are appropriate for the contract. 


It is expected that all ICO IT contracts will contain performance 
measures such as Service Level Agreements and KPIs as standard. 


In order to ensure the ICO receives value for money, procuring 
departments should: 

• measure and report to the relevant Director on performance
of their contracts on a regular basis;
• use KPIs and data efficiently to incentivise good performance
from suppliers;
• administer contracts proactively and efficiently, making
maximum use of benchmarking and performance
measurement data;
• use a balanced scorecard to measure hard data such as KPI
performance alongside soft measures such as customer
satisfaction and relationship management, with a focus on
achievement of outcomes;
• react quickly to issues when they arise;
• ensure KPIs and incentives are appropriate and proportionate
to the contract; and
• challenge KPIs and incentives regularly and where
appropriate, ensure a mechanism to change and evolve them
through the life of the contract.


2. Performance review


The procuring department is responsible for highlighting any 
concerns about performance under the contract to the Commercial 
Legal Team. In the first instance, you should liaise with the supplier 
and try to resolve the issues informally either by email or phone 
call. Phone calls should be followed up with an email which sets out 
any agreement reached with the supplier including any timescales 
agreed to remedy the problem. 


It is expected that in the case of our IT or higher value (above 
OJEU)/risk contracts, regular service review meetings should be 
conducted between the supplier and procuring department so that 
issues can be resolved quickly and with minimal disruption. 


Those engaged in IT procurement (or higher value/risk contracts) 
should consider the following contract monitoring options: 
• the use of milestones and deliverables;
• end user satisfaction surveys;
• service uptime and responsiveness requirements;
• business support metrics such as service ticket response
times;
• the provision of service credits when required performance
levels are not met; and
• the provision of performance metrics by the supplier so that
performance levels can be monitored.


3. Signed contracts 

Once a contract is signed by the authorised signatory, original 
copies are to be sent to the Commercial Legal Team for scanning 
and storage. 

Original copies are stored in individual numbered envelopes in the 
fireproof filing cabinet in Wycliffe House. Details of each new 
contract stored are listed in the cabinet index. 


Scanned copies are kept in the relevant EDRM folder created for the 
awarded supplier and contract. 


4. Publishing information about awarded contracts 

All relevant contracts are published on Contracts Finder. 

In the interests of transparency, each month on our website we
publish details of contracts awarded with a value in excess of
£10,000.


5. Contracts register


Details of signed contracts are logged on the contracts register 
which is managed by the Commercial Legal Team (see Annex 4). 


The contracts register includes a periodic review date. For low risk
contracts the review date may be annual. For higher risk contracts,
the review date may be biannual or quarterly.


6. Contract checks — periodic and pending expiry 


The Commercial Legal Team and Procurement Team will contact the 
procuring department about any contracts flagged for periodic 
review. The procuring department is requested to complete the 
monthly contract review checklist (see Annex 3) to identify whether 
there are any issues. 


Along with this review document, the procuring department will 
receive a summary of the total financial expenditure to date. This is 
to provide a prompt for the procuring department to review whether 
re-procurement, a further Purchase Order or additional budgetary 
permissions are required. 


Where contracts run for 18 months or less, the Commercial Legal 
Team and Procurement Team will schedule a review date at an 
appropriate midpoint. 


In addition to annual checks, a contract expiry review is scheduled 
in the ICO contracts register 3-6 months prior to the contract end 
date. The date of this review will depend on the likely time needed 
to re-procure the goods or services. At this point the Commercial 
Legal Team and the Procurement Team will contact the procuring 
department to establish whether the contract is to be extended, 
terminated or re-procured. 


It is the responsibility of the procuring department to respond to the
review in sufficient time to allow the Commercial Legal Team and
the Procurement Team to either give notice to terminate the
contract, draft an extension to the contract if this is required or
re-procure the goods and/or services.


Annex 1: New supplier checklist (to send to Finance and
Commercial Legal)


It is assumed that by this stage the viability of the company has
been assessed by the delegated authority and the Commercial Legal
Team where necessary.


The following information has to be provided by the supplier to 
enable the Commercial Legal Team to authorise the set-up of a new 
supplier. An e-mail from the supplier will suffice, or it can be a pdf 
document, or a quote on company letter head. For authenticity 
purposes, this needs to be the original email sent by the supplier 
with any attachment (it cannot be second hand information, which 
means you have to email the supplier's original e-mail as an 
attachment to Finance and the Commercial Legal Team rather than 
forwarding it). 


The following information will be required: 

• Business name
• ICO registration number
• Company registration number
• Full business address (to include town and postcode)
• Email address (for payment remittances to be sent to)
• Account name/Sort Code/Account Number (provided by
the supplier on letterhead paper)
• What will the work involve?
• Is it regular work or a one off spend?
• What the likely total contract value or spend with
supplier will be
• Any terms and conditions


Additional useful information which may be provided: 
• Account Manager/Key Contact
• Email
• Telephone number


Please request the above details from the supplier and send
them to both finance.queries@ico.org.uk and
CommercialLegal@ico.org.uk


There may be delays in setting up suppliers if this required
information is not complete.


Please provide the following information to the supplier:

Dear Supplier, 


Our billing address is: 
Finance Department 
Information Commissioner's Office 
Wycliffe House, 
Water Lane, 
Wilmslow, Cheshire 
SK9 5AF 


We require a purchase order number to be referenced on your
invoice before we can make payment. Please e-mail invoices to
finance@ico.org.uk


Annex 2: Authorised Contract Signatories


Designated Officer | Maximum contract value and type
Commissioner plus Head of Finance (level G) or Director of Resources (level G2) or DCEO (level H) | Unlimited; All contracts¹; MoUs
Level H plus Head of Finance (level G) or Director of Resources (level G2) | Unlimited; All contracts¹; MoUs
Director (G2) plus Head of Finance (level G) | Up to £1,000,000 for IT contracts; Up to £500,000 for all other contracts¹; MoUs
Director (level G2) | Up to £100,000 for all contracts¹; MoUs
Head of Department (level G) | Up to £25,000


¹ except those requiring the Commissioner's Seal which only the
Commissioner or an officer with specific delegated authority under
paragraph 7 of schedule 12 to the Data Protection Act 2018 can sign


Annex 3: Monthly contract review checklist


Quality Assurance overview


Points to consider | Y/N | Comment (For each point, please provide some brief detail.)
1. Is the service what was expected? | |
2. Has the supplier delivered everything that was agreed under the contract? | |
3. Are you happy with the quality of service provided in respect of the deliverables? | |
4. Has the service developed or changed over the last 12 months? | |
5. If the service has changed/developed, are any amendments necessary to any privacy notice (Staff or ICO general privacy notice) available here? | |
6. If the service has changed/developed, have you considered whether a further PSIA should now be undertaken? | |
7. Have you reviewed any existing PSIA in respect of this contract? | |
8. Have you considered the financial resilience of the supplier to provide the goods and/or services over the next 12 months? | |


Annex 4: Contracts register — information


The ICO contracts register includes the following fields:

• Department
• Type: Direct Contract (C), Licence (L) and Framework Call-Off
(F.Co) and reference
• Goods / Services contracted
• Supplier Name
• Supplier Contact Details
• Effective Date (DD/MM/YY) - if service commencement date is
different, included in brackets
• Initial Term (plus options to extend)
• Initial Term End Date / Extension Term End Date (DD/MM/YY)
• Notice / Breakpoint
• Estimated Total Contract Value (ex. VAT) (where VAT is
included, stated as comment)
• Annual Contract Value
• Actual spend so far
• Reminder date for Budget Holder (DD/MM/YY)
• ICO Service Manager
• Signed Original location (usually fire safe cabinet on first
floor)
• Environmental terms included?
• Where / what / when published
• Over £10k TCV (Y/N)
• Confirmed by Budget Holder as live for contracts audit (Y/N)